LUP Student Papers

LUND UNIVERSITY LIBRARIES

5G DDoS Simulation, Machine Learning Models & Multi-Access Edge Computing Applications for Attack Detection and Prevention

Tayebi, Elham LU and Hansen, Lars Breum LU (2025) EITM01 20251
Department of Electrical and Information Technology
Abstract
The increasing use of 5G networks and their application in critical services makes them vulnerable to Distributed Denial of Service (DDoS) attacks. This thesis investigates the detection and mitigation of DDoS attacks in 5G networks using machine learning (ML) methods. In particular, it analyses two exciting convolutional neural network (CNN)-based models: the LUCID model and the Mohak model, and introduces a simpler logistic regression model based solely on packet length. Three datasets were used to evaluate their performance: the publicly available CICDDoS2019 (only UDP flood traffic) and two newly generated simulated datasets – "BoNeSi+Simu5G" and "Mixed Simu5G" datasets.
According to the evaluations, the LUCID and Mohak models struggled to generalise beyond their initial training dataset (CICDDoS2019), particularly when dealing with data generated by the BoNeSi tool. However, Mohak's CNN did well using data that was entirely Simu5G-generated ("Mixed Simu5G" dataset). The basic logistic regression model detected UDP flood attacks based on packet length. However, it was not sufficiently robust against complex attacks. The models were deployed in a Multi-access Edge Computing (MEC) application in the 5G simulator, Simu5G. According to the results, the models performed poorly when deployed in the simulation, partly due to the models and partly due to the implementation. Although there is room for improvement, particularly in the areas of data collection and analysis, the study showed that ML-based detection and prevention using a MEC application is feasible in 5G simulation environments.
Popular Abstract
Today's society is dependent on well-functioning information technology (IT) and network services like 5G. "Bad actors" such as individuals, groups or even nation states use cyber attacks of many kinds to affect the state of critical services and infrastructure on which modern society depends. One type of cyber attack is the "Distributed Denial of Service" (DDoS) attack. In a DDoS attack, a bad actor uses a distributed network of bots to overwhelm a service or network and take it offline, thereby denying service to its users. Close to home, the Swedish phone-based identification platform, BankID, was recently hit with this type of attack, taking it offline for several hours. This led to Swedish citizens losing the ability to read their government email, make bank payments and send money to friends.
As mentioned, these types of attacks are done using botnets. Botnets consist of many thousands of devices which many people have in their homes and pockets. Some types of DDoS attacks not only affect the service that they are targeting but also the network itself. In the case of many mobile "Internet of Things" (IoT) devices, such as phones, smart things such as light bulbs, sensors, thermostats and so on, that network is the 5G network. The 5G network is powerful enough to be used, not only for fast surfing and video streaming, but also for critical societal tasks such as car-to-car communication, remote surgery and of course, phone communication between important persons and organisations.

Unfortunately, studying DDoS attacks and their effect on the 5G network infrastructure is difficult, as the "good guys" cannot launch attacks on the network to study it - as that would impact the network negatively. Instead, what this study has done is to use a well-established 5G simulator (Simu5G) and simulate both the network and the attacks.
Several previous studies have been done that focused on the detection of DDoS attacks using Machine Learning (ML). However, this research focused primarily on the ML models themselves and not on the 5G infrastructure nor on how to implement the models and use them in a network. This study addresses that directly by taking some of these ML models and deploying them in a Multi-access Edge Computing (MEC) application. A MEC is an application that sits very close to the 5G network's edge - meaning close to the antennas and base station which the users connect to. The MEC that was developed in this study has the power to read all of the raw data going through the network and use the ML model to identify which network users are attackers/malicious users and which are benign users. In the real world, "a benign user" would be any device not actively performing an attack. In the study, this was simplified to any device sending very little traffic.
Like any study, this one is not perfect, and the results show this. While the study successfully trains existing ML models on data from the Simu5G simulator and even develops a new simpler model for detecting DDoS traffic, when deploying the model in the MEC the behaviour did not turn out as expected. Essentially, the ML models were too simple and looked only at individual data "packets", thus inferring which users were malicious based on too simple information. The authors discuss that a model that sees the entire communication flow, which would include the data rate (how much data per second), would probably lead to better results. Secondly, implementing the ML model in the MEC came with several challenges, for example, deciding on what action the MEC should take after it had identified a malicious device. In this work, the device was silenced, meaning that it was still able to send data, only very slowly. A better action would have been to block it at the base station, as the network would not be loaded by the attacker if he is blocked before his data reaches it.

To conclude, this study investigates how DDoS attacks can be detected and even prevented. It does this by training ML models and implementing them in a MEC application at the 5G network's edge, thereby hopefully laying some groundwork for protecting critical infrastructure that relies on the network.
author
Tayebi, Elham LU and Hansen, Lars Breum LU
supervisor
organization
course
EITM01 20251
year
type
H2 - Master's Degree (Two Years)
subject
keywords
5G Networks, Distributed Denial of Service (DDoS), Machine Learning, Convolutional Neural Network (CNN), Logistic Regression, Simu5G, BoNeSi, Multi-access Edge Computing (MEC), Dataset Generation, Generalisation
report number
LU/LTH-EIT 2025-1051
language
English
id
9190115
date added to LUP
2025-06-02 14:03:48
date last changed
2025-06-03 07:23:42
@misc{9190115,
  abstract     = {{The increasing use of 5G networks and their application in critical services makes them vulnerable to Distributed Denial of Service (DDoS) attacks. This thesis investigates the detection and mitigation of DDoS attacks in 5G networks using machine learning (ML) methods. In particular, it analyses two exciting convolutional neural network (CNN)-based models: the LUCID model and the Mohak model, and introduces a simpler logistic regression model based solely on packet length. Three datasets were used to evaluate their performance: the publicly available CICDDoS2019 (only UDP flood traffic) and two newly generated simulated datasets – "BoNeSi+Simu5G" and "Mixed Simu5G" datasets.
According to the evaluations, the LUCID and Mohak models struggled to generalise beyond their initial training dataset (CICDDoS2019), particularly when dealing with data generated by the BoNeSi tool. However, Mohak's CNN did well using data that was entirely Simu5G-generated ("Mixed Simu5G" dataset). The basic logistic regression model detected UDP flood attacks based on packet length. However, it was not sufficiently robust against complex attacks. The models were deployed in a Multi-access Edge Computing (MEC) application in the 5G simulator, Simu5G. According to the results, the models performed poorly when deployed in the simulation, partly due to the models and partly due to the implementation. Although there is room for improvement, particularly in the areas of data collection and analysis, the study showed that ML-based detection and prevention using a MEC application is feasible in 5G simulation environments.}},
  author       = {{Tayebi, Elham and Hansen, Lars Breum}},
  language     = {{eng}},
  note         = {{Student Paper}},
  title        = {{5G DDoS Simulation, Machine Learning Models \& Multi-Access Edge Computing Applications for Attack Detection and Prevention}},
  year         = {{2025}},
}